From 9bb88a15e0297e3a3e8e713267bc399164e0cdd6 Mon Sep 17 00:00:00 2001 From: Tomas Babej Date: Wed, 14 May 2014 13:22:20 +0200 Subject: sudorule: Make sure all the relevant attributes are checked when setting category to ALL https://fedorahosted.org/freeipa/ticket/4341 Reviewed-By: Petr Viktorin --- ipalib/plugins/sudorule.py | 53 +++++++++++++++++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 12 deletions(-) (limited to 'ipalib/plugins/sudorule.py') diff --git a/ipalib/plugins/sudorule.py b/ipalib/plugins/sudorule.py index 95631a4b6..3d6bc7042 100644 --- a/ipalib/plugins/sudorule.py +++ b/ipalib/plugins/sudorule.py @@ -1,7 +1,7 @@ # Authors: # Jr Aquino # -# Copyright (C) 2010 Red Hat +# Copyright (C) 2010-2014 Red Hat # see file 'COPYING' for use and warranty information # # This program is free software; you can redistribute it and/or modify @@ -404,22 +404,51 @@ class sudorule_mod(LDAPUpdate): self.obj.check_order_uniqueness(*keys, **options) else: self.obj.check_order_uniqueness(*keys, **options) + try: _entry_attrs = ldap.get_entry(dn, self.obj.default_attributes) except errors.NotFound: self.obj.handle_not_found(*keys) - if is_all(options, 'usercategory') and 'memberuser' in _entry_attrs: - raise errors.MutuallyExclusiveError(reason=_("user category cannot be set to 'all' while there are allowed users")) - if is_all(options, 'hostcategory') and 'memberhost' in _entry_attrs: - raise errors.MutuallyExclusiveError(reason=_("host category cannot be set to 'all' while there are allowed hosts")) - if is_all(options, 'cmdcategory') and ('memberallowcmd' or - 'memberdenywcmd') in _entry_attrs: - raise errors.MutuallyExclusiveError(reason=_("command category cannot be set to 'all' while there are allow or deny commands")) - if is_all(options, 'ipasudorunasusercategory') and 'ipasudorunas' in _entry_attrs: - raise errors.MutuallyExclusiveError(reason=_("user runAs category cannot be set to 'all' while there are users")) - if is_all(options, 'ipasudorunasgroupcategory') and 'ipasudorunasgroup' in _entry_attrs: - raise errors.MutuallyExclusiveError(reason=_("group runAs category cannot be set to 'all' while there are groups")) + error = _("%(type)s category cannot be set to 'all' " + "while there are allowed %(objects)s") + + category_info = [( + 'usercategory', + ['memberuser', 'externaluser'], + error % {'type': _('user'), 'objects': _('users')} + ), + ( + 'hostcategory', + ['memberhost', 'externalhost', 'hostmask'], + error % {'type': _('host'), 'objects': _('hosts')} + ), + ( + 'cmdcategory', + ['memberallowcmd'], + error % {'type': _('command'), 'objects': _('commands')} + ), + ( + 'ipasudorunasusercategory', + ['ipasudorunas', 'ipasudorunasextuser', + 'ipasudorunasextusergroup'], + error % {'type': _('runAs user'), 'objects': _('runAs users')} + ), + ( + 'ipasudorunasgroupcategory', + ['ipasudorunasgroup', 'ipasudorunasextgroup'], + error % {'type': _('group runAs'), 'objects': _('runAs groups')} + ), + ] + + + # Enforce the checks for all the categories + for category, member_attrs, error in category_info: + any_member_attrs_set = any(attr in _entry_attrs + for attr in member_attrs) + + if is_all(options, category) and any_member_attrs_set: + raise errors.MutuallyExclusiveError(reason=error) return dn -- cgit